In response to high-profile intrusions at Target Corp., Neiman Marcus, Home Depot, Inc. and a host of other retailers, California recently passed new legislation implementing small but significant changes to its privacy laws.

On September 30, 2014, Governor Jerry Brown signed Assembly Bill 1710, authored by Assembly Members Roger Dickinson (D-Sacramento) and Bob Wieckowski (D-Fremont).  AB 1710 enhances consumer protections by strengthening the requirements businesses must adhere to in the event of a breach.

“Recent breaches emphasized the need for stronger consumer protections and awareness.  The retailers affected by the recent mega data breaches are not the first nor will they be the last,” said Dickinson, Chair of the Assembly Banking and Finance Committee.  “AB 1710 will increase consumer privacy, ensure appropriate fraud and identity theft protection, and safeguard against the exploitation of personal information.”

Specifically, AB 1710:

• Requires the source of the breach to offer identity theft prevention mitigation services at no cost to the affected person for no less than 12 months if a Social Security Number or Driver’s license number are breached;
• Prohibits the sale of social security numbers, except when part of a legitimate business transaction; and
• Provides that existing personal information data security obligations apply to businesses that maintain personal information, in addition to those who own or license the information.

Earlier versions of AB 1710 placed limits on the amount of payment information a retailer could store in its system; it also mandated more stringent encryption standards.  But a coalition of business groups opposed the bill—claiming the data management rules were “onerous and unneeded,” and that it would be ineffective for protecting customer data.  Although these provisions were ultimately removed, Dickinson told news outlets he intends to pick up the notification issue during the next legislative session.  He will also pursue future legislation to tighten encryption standards in California.

Not surprisingly, such legislation follows closely on the heels of a report released by California Attorney General Kamala Harris in February of 2014.  Titled Cybersecuity in the Golden State, the report details how in 2012 more than 2.5 million California residents were victimized by data breaches—more than half of which would have been protected had companies implemented stricter encryption procedures when transmitting personal data.

In light of AB 1710, retailers and consumer-facing business that “maintain” personal information (even if they do not own or license such data) should familiarize themselves with the parameters of the new law to ensure their data security procedures satisfy the law’s “reasonable security” requirement.

A copy of AB 1710 is available here.  The Attorney General report is available here.